EU GDPR: compliance complexity will drive SMBs to the channel
Thursday, June 01 2017
Businesses large and small are scrambling to assess their General Data Protection Regulation (GDPR) readiness, with less than a year to go until it takes effect on 25 May 2018. The new framework (see Canalys report, “EU Data Protection Regulation 2015: The proposed framework”) demands a reassessment of the everyday operational structure of any business that handles personal data in the EU.
Large businesses in various verticals are well informed on information security regulations and have dedicated resources to ensure compliance. With ransomware threats such as WannaCry causing havoc, shareholders will be more willing to accept increased data security and compliance budgets to protect their long-term investment. Smaller businesses have fewer financial and technical resources to implement the necessary safeguards. But all businesses are threatened by large fines, which for small or medium-sized businesses (SMBs) could mean closure. While larger businesses may deal with larger volumes of personal data, increasing their risk, assessing their position will at least mean extending the policies and strategies already in place. Many SMBs have no such policies, or even dedicated IT managers, and will find understanding the changes very difficult. Overall, the net effect on SMBs will be significant, and many are turning to their existing relationships with channel partners for help.
Canalys expects this trend to accelerate as SMBs realize they have little time left to implement changes if they are to meet the deadline. There is also pressure to ensure they can demonstrate compliance measures in order to remain attractive in the supply chains of larger organizations. Many SMBs see their channel partners as trusted advisors and will seek their advice at the earliest opportunity. But what holistic solutions can partners provide? Some are investing in growing or establishing compliance practices early on to capture the opportunity. But many cannot yet make large investments and will be considering a GDPR strategy that uses and builds on existing resources. Small businesses will, for the most part, not be prepared to increase their security budgets significantly. Channel partners serving SMBs should therefore consider a cost-effective, easy-to-follow approach that does not overcomplicate an already complex problem.
Employee training should be central to partners’ strategies
Canalys recommends partners focus on the following when dealing with SMBs:
- Urge customers to act now. Use digital marketing to educate customers that may be oblivious to the looming GDPR deadline. Make them aware that time will be needed to create a plan of required measures, then to implement and test it. Ensuring GDPR compliance is a journey, not a one-off fix.
- Keep things as simple as possible, at least to begin with. Partners should try to cut through the complexity and, as a first step, formulate a basic set of important questions to go through with customers, in order to understand the nature of their businesses, the extent to which they deal with personal data, and where that personal data resides (for example, on-premises or in the cloud). Partners also need to understand which teams should be the focus of an audit, such as human resources or finance. Partners should offer initial compliance checks together with vendors: Sophos and Symantec, for example, offer 60-second quick compliance assessment sheets based on a traffic light system, which help channel partners put things into perspective for customers. Partners should also formulate a plan that covers changes to data handling policies as well as implementation of data protection solutions, including encryption and data-loss prevention. Offering an initial basic plan that can grow in complexity over time is an approach that SMBs should find agreeable.
- Employee training will be the difference between success and failure. Any security or compliance threat stems from user behavior. Channel partners should market and offer consultative training exercises for customers that want an independent party with the necessary skills to come in and provide employee training. Partners should drive home to customers that user awareness will be key to long-term success. If employees have a good grasp of what personal data is, they can understand what they need to do and the repercussions if they do not. Organizations can have every solution in place to prevent data leakage, but the weakest point is always the employees or users handling the data. Misplaced USB memory sticks and similar devices remain the biggest threat. Channel partners must establish a compliance plan centered on building a sense of responsibility through regular employee training programs. Those tempted to implement complex, expensive measures may create new challenges and threats: issues arise when technology is too difficult to understand, and employees will find a way around barriers, which inevitably leads to security compromises. Partners must help customers see that a cultural shift is needed, which can only be achieved through better communication and cohesion across the business on data protection and its importance.
The GDPR presents a good opportunity for increased business for the channel in various forms, whether increased product volume sales or newly established consultancy streams focused on dedicated SMB training programs. Partners need to consider their own compliance posture as well; starting with an audit of their own business will provide a strong case study for initial customers. To give the right advice, partners will need to undergo training themselves. Independent training programs are being held in many countries, and local partners can take advantage of them. Partners can start by training a select few staff and gradually increase the number of trained sales and technical staff as their training budgets grow, in line with the number of compliance deals closed over a year. As time progresses, channel partners can decide on the viability of expanding their compliance practices, investing in new vendor certifications or hiring in-house legal counsel to take a more in-depth approach and target bigger consultancy deals. To begin with, channel companies should work closely with their customers and understand that budgets have not suddenly increased drastically. Partners will need to be clever at providing tailored systems that are simple to implement and manage and do not compromise the user experience.